How do you configure trust for private CA?
Closed this issue · 2 comments
svenska-primekey commented
Trying to wrestle with the limited documentation on how this integration connects to EJBCA when EJBCA uses a private CA for the TLS. Getting this error in the pod logs:
```
2023-07-29T20:40:07Z ERROR Reconciler error {"controller": "issuer", "controllerGroup": "ejbca-issuer.keyfactor.com", "controllerKind": "Issuer", "Issuer": {"name":"issuer-sample","namespace":"ejbca-issuer-system"}, "namespace": "ejbca-issuer-system", "name": "issuer-sample", "reconcileID": "d9e14294-8b0a-46f0-bca7-d7a956414e83", "error": "healthcheck failed: Get \"https://ejbca-internal.ejbca-k8s/ejbca/ejbca-rest-api/v1/certificate/status\": x509: certificate signed by unknown authority"}
```
m8rmclaren commented
Hi Sven, thank you for the issue; apologies that this wasn't addressed in the initial version. Here are the changes I've made:
- Add Configuration field in the Keyfactor EJBCA Go Client SDK to enable setting a custom trusted root (60ee494)
- Add `caSecretName` configuration field in Issuer and ClusterIssuer custom resource specs (92d9876)
I've also updated the README to reflect these changes, but the following is an example of an Issuer resource definition:
```yaml
apiVersion: ejbca-issuer.keyfactor.com/v1alpha1
kind: Issuer
metadata:
  labels:
    app.kubernetes.io/name: issuer
    app.kubernetes.io/instance: issuer-sample
    app.kubernetes.io/part-of: ejbca-issuer
    app.kubernetes.io/created-by: ejbca-issuer
  name: issuer-sample
spec:
  hostname: ""
  ejbcaSecretName: ""
  certificateAuthorityName: ""
  certificateProfileName: ""
  endEntityProfileName: ""
  caSecretName: ""
```
The data in the secret specified in `caSecretName` can be under any tag name, just as long as there is only one field. This allows you to create the secret in a more flexible way, such as with the below command:

```shell
kubectl -n ejbca-issuer-system create secret generic ejbca-ca-secret --from-file=<filename>
```
I'll keep this issue open until I confirm that the problem is resolved.
m8rmclaren commented
Resolved in c9bc15f
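The TLS failure from the pod log and the effect of supplying a trusted root, as an added Go example that is not part of this thread or the project's code. `poolFromSecretData`, `healthcheck` and `demo` are hypothetical names, and a constructed local `httptest` TLS server stands in for an EJBCA endpoint whose certificate is not in the system trust store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// poolFromSecretData (hypothetical) builds a trust pool from a Secret's data map.
// The field name is ignored, but exactly one field holding PEM must be present.
func poolFromSecretData(data map[string][]byte) (*x509.CertPool, error) {
	if len(data) != 1 {
		return nil, fmt.Errorf("CA secret must contain exactly one field, found %d", len(data))
	}
	pool := x509.NewCertPool()
	for _, pemBytes := range data { // single iteration, whatever the key is called
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("CA secret field holds no PEM certificate")
		}
	}
	return pool, nil
}

// healthcheck GETs url trusting only pool; a nil pool means the system roots.
func healthcheck(url string, pool *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo returns the healthcheck result without and with the custom root.
func demo() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	// Constructed sample: the test server's own certificate plays the private CA.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	pool, err := poolFromSecretData(map[string][]byte{"any-name.pem": caPEM})
	if err != nil {
		return err, err
	}
	return healthcheck(srv.URL, nil), healthcheck(srv.URL, pool)
}

func main() { fmt.Println(demo()) }
```

Rejecting a secret with zero or several fields, rather than picking one, keeps the set of trusted roots unambiguous.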